ETW_REALTIME_CONSUMER

The ETW_REALTIME_CONSUMER structure is the kernel’s representation of a real-time event consumer that is connected to a logger. It is a formal object, with handles and access control. The object type is named EtwConsumer. Note that the kernel has no exported variable for this object type, presumably because only the kernel is ever involved in interpreting a handle that refers to such an object.

Documentation Status

The ETW_REALTIME_CONSUMER structure is not documented.

Layout

For a non-trivial structure that is plainly very much internal to the kernel, the ETW_REALTIME_CONSUMER has been very stable, if only since version 6.1 settled on making the structure into an object type. The following changes of size are known.

Version Size (x86) Size (x64)
6.0 0x40 0x60
6.1 0x50 0x88
6.2 0x4C 0x88
6.3 to 1511 0x54 0x98
1607 to 2004 0x58 0xA0

These sizes, and the offsets, types and names in the table below are from Microsoft’s symbol files for the kernel starting with Windows 7. The implementation in version 6.0, predating the object type, is very different and type information seems not to have made it into the public symbol files for Windows Vista, but there is evident continuity.

Offset (x86) Offset (x64) Definition Versions Remarks
0x00 0x00
LIST_ENTRY Links;
6.0 and higher  
0x08 (6.0) 0x10 (6.0) unknown HANDLE to pipe 6.0 only  
0x0C (6.0);
0x08
0x18 (6.0);
0x10
HANDLE ProcessHandle;
6.1 and higher  
0x10 (6.0) 0x20 (6.0) unknown 32-bit sequence number as consumer ID 6.0 only  
0x14 (6.0) 0x24 (6.0) unknown 32-bit process ID 6.0 only  
0x18 (6.0) 0x28 (6.0)
ULONG BuffersLost;
6.0 only next at 0x28 and 0x50
0x1C (6.0) 0x2C (6.0)
BOOLEAN NewBuffersLost;
6.0 only next at 0x35 and 0x5D
0x0C 0x18
EPROCESS *ProcessObject;
6.1 and higher  
0x20 (6.0);
0x10
0x30 (6.0);
0x20
PVOID NextNotDelivered;
6.0 and higher  
0x24 (6.0);
0x14
0x38 (6.0);
0x28
PVOID RealtimeConnectContext;
6.0 and higher  
0x28 (6.0) 0x40 (6.0) unknown KEVENT 6.0 only  
0x18 0x30
KEVENT *DisconnectEvent;
6.1 and higher  
0x1C 0x38
KEVENT *DataAvailableEvent;
6.1 and higher  
0x20 0x40
ULONG *UserBufferCount;
6.1 and higher  
0x24 0x48
SINGLE_LIST_ENTRY *UserBufferListHead;
6.1 and higher  
0x28 0x50
ULONG BuffersLost;
6.1 and higher previously at 0x18 and 0x28
0x38 (6.0);
0x2C
0x58 (6.0);
0x54
ULONG EmptyBuffersCount;
6.0 and higher  
0x30 0x58
ULONG LoggerId;
6.1 only  
USHORT LoggerId;
6.2 and higher  
0x3C (6.0);
0x34 (6.1)
0x5C
BOOLEAN ShutDownRequested;
6.0 to 6.1
next in Flags
0x35 (6.1) 0x5D (6.1)
BOOLEAN NewBuffersLost;
6.1 only
previously at 0x1C and 0x2C;
next in Flags
0x36 (6.1) 0x5E (6.1)
BOOLEAN Disconnected;
6.1 only
next in Flags
0x32 0x5A
union {
    UCHAR Flags;
    struct {
        /*  bit fields, see below  */
    };
};
6.2 and higher  
0x38 (6.1);
0x34
0x60
RTL_BITMAP ReservedBufferSpaceBitMap;
6.1 and higher  
0x40 (6.1);
0x3C
0x70
UCHAR *ReservedBufferSpace;
6.1 and higher  
0x44 (6.1);
0x40
0x78
ULONG ReservedBufferSpaceSize;
6.1 and higher  
0x48 (6.1);
0x44
0x7C
ULONG UserPagesAllocated;
6.1 and higher  
0x4C (6.1);
0x48
0x80
ULONG UserPagesReused;
6.1 and higher  
  0x84
BOOLEAN Wow;
6.1 only next in Flags
0x4C 0x88
ULONG *EventsLostCount;
6.3 and higher  
0x50 0x90
ULONG *BuffersLostCount;
6.3 and higher  
0x54 0x98
ETW_SILODRIVERSTATE *SiloState;
1607 and higher  

Flags

Version 6.2 consolidated some one-byte booleans into UCHAR bit fields as Flags, and added one:

Mask (x86) Mask (x64) Definition Versions Remarks
0x01 0x01
UCHAR ShutDownRequest : 1;
6.2 and higher previously BOOLEAN at 0x34 and 0x5C
0x02 0x02
UCHAR NewBuffersLost : 1;
6.2 and higher previously BOOLEAN at 0x35 and 0x5D
0x04 0x04
UCHAR Disconnected : 1;
6.2 and higher previously BOOLEAN at 0x36 and 0x5E
0x08 0x08
UCHAR Notified : 1;
6.2 and higher  
  0x10
UCHAR Wow : 1;
6.2 and higher previously BOOLEAN at 0x84